A New EO Updates Privacy Shield for EU, US Data Sharing

The EU General Data Protection Regulation (GDPR) permits personal data about an EU resident to be transferred to a recipient in another country provided that the receiving country ensures an “adequate” level of protection for the privacy and security of that data. There is a general principle that data privacy laws should not be used to impede transnational transfers of, or access to, personal data. Nevertheless, EU regulators, and the EU Court of Justice in its Schrems II decision, concluded that personal data about EU persons, if transferred to companies within the United States, would be subject to compelled disclosure to U.S. intelligence or law enforcement agencies in a manner inconsistent with EU privacy law. As a result, the Schrems II decision threatened to upend U.S.-EU data transfers and balkanize the collection and use of personal data. Since then, the U.S. and the EU have been negotiating how the U.S. could give EU countries and their citizens legally enforceable assurance that their data would be safe from unreasonable compelled production if it was transferred to, or accessible by, U.S. companies.

What’s at Stake

Data transfers between the U.S. and the EU, as well as between other countries with strong and enforceable data privacy laws, are incredibly common. Cloud-based data centers, multinational corporations, affiliates and subsidiaries, and transnational marketing, data processing and communications programs all mean that neither the Internet nor the data that travels through it cares about national borders. On the other hand, each nation has the ability to regulate entities within or subject to its jurisdiction, and to compel entities subject to its laws to produce records through the appropriate legal process. As a result, while Germany may provide strong privacy protections and other rights (including the right to be forgotten, the right to access the data collected about you, the right to control how that data is used and how long it is retained, and the right to be informed of the reasons the data is being collected), if that ‘German’ data is transferred to, say, Germantown, Ohio, it may be subject to compelled production by a Montgomery County, Ohio court. Moreover, while some states such as California, Colorado, Connecticut, Utah and Virginia have passed comprehensive data privacy laws that afford many of the same protections as the GDPR, U.S. data privacy law remains a patchwork quilt of protections.

The Privacy Shield program was intended to address this problem by having U.S. companies that wanted to transfer certain protected data from the EU to the U.S. agree to legally enforceable privacy protection standards that were aligned with the GDPR requirements.

Unfortunately, U.S. government agencies in general, and the intelligence agencies in particular, were not bound by the strictures of Privacy Shield. NSA and CIA surveillance programs, FISA orders, warrants and subpoenas, collection under EO 12333 and National Security Letters (NSLs) could all be used to obtain from U.S. entities massive amounts of personal information about EU residents, data which would otherwise have been protected under the GDPR, despite the Privacy Shield requirements. The Schrems II decision of the EU Court of Justice (CJEU) determined that, in light of these powers of the U.S. intelligence community, GDPR-protected data in the hands of U.S. companies or on U.S. servers was not protected to the standard required by the EU Charter of Fundamental Rights, a decision that threatened to upend all trans-border transfers of data. One primary concern of the court was that the Privacy Shield provisions were not judicially enforceable and, therefore, that EU residents harmed by improper access to their personal data lacked actionable judicial recourse. In short, U.S. data privacy protections were not “adequate” to meet GDPR standards.

A Resolution

On October 7, 2022, the White House announced a new executive order, accompanied by DOJ regulations, augmenting the Privacy Shield provisions to bring the U.S. in line with what the EU would consider “adequate” protection for the privacy of EU residents. Of note, it creates a new Data Protection Review Court (DPRC) within the U.S. Department of Justice to review determinations made by the Civil Liberties Protection Officer of the Office of the Director of National Intelligence. The DPRC is not an Article III court; it is a creature of the executive branch housed under the attorney general. In theory, however, it will be somewhat independent of the AG: its members will, for the most part, neither be supervised by nor removable by the AG. This “court” is intended to address the concerns expressed in the Schrems II decision and to provide at least some redress to EU residents alleging harm from U.S. surveillance and interception activities.

The executive order largely builds upon and expands the existing limitations on surveillance embodied in Presidential Policy Directive 28 (PPD-28), issued during the Obama administration, which set principles for the collection and use of bulk signals intelligence but created no rights enforceable by individuals.

The EO replaces the “Privacy Shield” with a new EU-U.S. Data Privacy Framework.

The new executive order and regulations issued this month also addressed other concerns raised by EU privacy regulators concerning the U.S. intelligence agencies.

U.S. intelligence agencies agreed to conduct surveillance activities only to the extent that they are both “necessary” and “proportionate,” bringing them in line with the EU requirements that personal data be collected for a legitimate purpose (necessary) and that the collection include only the minimum needed to achieve that purpose (proportionate). This is largely a semantic difference, since U.S. collection practices have long been asserted to conform with law and regulation, including the Fourth Amendment “reasonableness” standard. However, by expressly adopting the terms used by the GDPR (or reflecting those specific data collection principles), U.S. intelligence community data collection practices can now be measured by how well they comply with EU privacy regimes. The EO does state, however, that whether U.S. agencies are adhering to these requirements will be interpreted exclusively in light of United States law.

A New Complaint Process/A New Court for Intelligence Activities

As part of the requirement that U.S. surveillance and data collection be “legitimate,” the new EO provides that intelligence surveillance activities may be conducted only in pursuit of specific, enumerated objectives. These include counterterrorism, assessing the capabilities and intentions of foreign adversaries, and similar national security objectives. While the U.S. intelligence agencies may target EU or other foreign persons abroad, this cannot simply be a fishing expedition, and the EO, at least in theory, limits bulk data collection, particularly of data about persons who are not targets. However, it appears that if such bulk collection is necessary to achieve the national security goals of the U.S., it may still be pursued under the EO. The new order also specifies how the intelligence community will store and secure the data it collects and provides for civil liberties and security oversight of data protection.

The new EO grants EU individuals the right to lodge a complaint, transmitted through their national data protection authority, with the Civil Liberties Protection Officer (CLPO) of the U.S. intelligence community, a role similar to that of a chief privacy officer within an EU company. The CLPO within the Office of the Director of National Intelligence (ODNI) is responsible for ensuring compliance by U.S. intelligence agencies with privacy laws and regulations (including international agreements) and for protecting the fundamental rights of EU persons. Significantly, a complainant will not need to establish legal standing to sue before filing a complaint. This addresses the concern that a person “harmed” by the practice of a U.S. intelligence agency would never know they had been subject to unlawful surveillance or data collection and, therefore, could never file a complaint.

The EO creates the aforementioned semi-independent Data Protection Review Court within the Department of Justice, with authority to review the CLPO's determinations on complaints from EU individuals, to obtain relevant information from the intelligence agencies, and to order binding remedial measures. The DPRC also selects special advocates to represent the interests of the complainant, a role similar to that of the Privacy and Civil Liberties Oversight Board in advocating for the public interest in privacy and data protection.

Is it Safe?

The Schrems II decision is not automatically overcome by the new DOJ regulation and presidential executive order. The European Commission still needs to adopt an adequacy decision finding that the new procedures adequately protect the privacy, civil liberties and fundamental rights of EU persons in order to formally permit trans-border data flows under the GDPR, and that decision will in turn be subject to challenge before the CJEU. However, since the remedy was directly tailored to address the Schrems II concerns, it is likely, but not inevitable, that such a determination will be made. It may take some months for such a finding to be formally made and adopted.

In the meantime, Privacy Shield certification (now the EU-U.S. Data Privacy Framework) remains a binding commitment for participating U.S. entities, and the Department of Commerce continues to administer it, but since Schrems II it is not, by itself, a lawful basis for transfers until the EU adopts an adequacy decision. Agreements that refer to ‘Privacy Shield’ or Privacy Shield compliance should be updated with the new name, but no real substantive changes are required. If you were compliant with the Shield as reflected by the U.S. Department of Commerce, you are compliant with the framework.

Another way of transferring data is through the use of binding corporate rules (BCRs) and standard contractual clauses (SCCs). SCCs are contract terms, approved by the European Commission, that permit the transfer of data outside the EU provided the parties comply with EU standards, and companies seeking to send or receive EU data should execute such agreements as soon as possible. Binding corporate rules are data protection policies adopted by a multinational corporate group for transfers of personal data about EU persons from its EU entities to its affiliates outside the EU; they must include all of the data protection, privacy, transfer and other rights consistent with the GDPR requirements, and must be both binding and enforceable. However, in light of Schrems II, the mere existence of BCRs or SCCs was not enough to protect the privacy and security of data, particularly from the U.S. intelligence community. As a result, companies, in addition to BCRs and SCCs, began performing transfer impact assessments (TIAs) to evaluate the risk a given transfer poses to the privacy of the data. Templates for such assessments, such as https://iapp.org/media/resource_center/eu_scc_transfer_impact_assessment.xlsx, address the nature of the data transferred, the nation to which it is transferred, and the nature of the protections (technical, legal, administrative, etc.) provided to that data. Again, this is intended to establish the “adequacy” of privacy and security protections in the wake of the Schrems II court's finding that adequate protections were lacking. If the European Commission finds the EO and regulations adequate, and that finding survives review by the EU courts, TIAs may no longer be required for companies to be compliant.

Conclusion

Entities seeking to transfer data from the EU still must establish that they can and will comply with the principles established by GDPR and that they are bound by law to do so. The new executive order and regulations close a significant gap in the adequacy of these legal protections, but companies holding EU data must continue to commit to adhering to data protection principles.

Image: Christian Lue (Unsplash license) 


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities, including the University of Maryland, George Mason University, Georgetown University and the American University School of Law, and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice, where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including those of Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
